DET0546: Detection of Abused or Compromised Cloud Accounts for Access and Persistence
Analyst context for executives and security teams
This detection strategy matters because compromised or abused cloud accounts can give an adversary legitimate-looking access to cloud services, SaaS applications, identity providers, and office suites. For leaders, the key issue is not only account takeover, but whether the organization can prove it would notice abnormal use of valid cloud identities before that access becomes persistent or privileged.
Executive priority
Prioritize this as an identity and cloud resilience issue. The related ATT&CK technique, Cloud Accounts (T1078.004), spans initial access, persistence, privilege escalation, and stealth/defense evasion. Executives should ask whether cloud identity activity is centrally logged, retained, monitored, and usable during incident response, especially for privileged, service, remote support, and hybrid-synced accounts.
Technical view
ATT&CK provides no official description or detection logic for DET0546, so teams should validate coverage against the related behavior: abuse of valid cloud accounts across IaaS, Identity Provider, Office Suite, and SaaS environments. SOC and IR teams should focus on whether they can correlate authentication, authorization, account changes, privilege changes, and cloud/SaaS control-plane activity to a specific identity over time.
Likely telemetry
- Identity provider sign-in and audit logs
- Cloud provider control-plane or API activity logs
- SaaS and office suite audit logs
- Account creation, modification, disablement, and deletion records
- Privilege, role, group, and administrative assignment changes
Detection direction
- Validate monitoring for abnormal use of valid cloud accounts rather than only failed logins or malware indicators.
- Tune detections around privileged account changes, new persistence paths, unusual administrative actions, and access from unexpected context, while accounting for legitimate remote support and service-account activity.
- Confirm that identity, SaaS, and IaaS logs can be joined by user, service principal/account, session, source, and timestamp during investigations.
- Review blind spots for cloud-only accounts, hybrid-synced accounts, service accounts, and administrative accounts that may not follow normal user behavior.
- Because MITRE provides no official detection text for this object, treat local baselining, log availability, and environment-specific policy context as required for reliable detection.
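The bullets above describe the correlation a SOC needs: join identity-provider sign-ins to cloud or SaaS control-plane actions by account and session, then judge privileged actions against a per-account source baseline while allowing for known service-account activity. The script below is an added illustration written for this page; it is not Glexia or MITRE code. The log records, field names (`account`, `session`, `source_asn`, `country`), action names such as `AssignRole`, and the service-account allowlist are all constructed assumptions, not any provider's real schema.

```python
"""Join IdP sign-ins to cloud control-plane actions per account/session and flag
privileged actions from outside the account's observed source baseline."""
from datetime import datetime, timezone

# Constructed sample telemetry (not real logs). Field names are assumptions that
# stand in for the equivalent fields in a real IdP sign-in or cloud audit log.
SIGNINS = [
    {"ts": "2026-01-10T08:02:00Z", "account": "alice@example.com", "session": "s-1",
     "source_asn": "AS64500", "country": "US", "result": "success"},
    {"ts": "2026-01-10T09:15:00Z", "account": "alice@example.com", "session": "s-2",
     "source_asn": "AS64500", "country": "US", "result": "success"},
    {"ts": "2026-01-11T03:40:00Z", "account": "alice@example.com", "session": "s-3",
     "source_asn": "AS64999", "country": "XX", "result": "success"},
    {"ts": "2026-01-11T04:00:00Z", "account": "svc-backup", "session": "s-4",
     "source_asn": "AS64501", "country": "US", "result": "success"},
    {"ts": "2026-01-11T06:00:00Z", "account": "carol@example.com", "session": "s-5",
     "source_asn": "AS64500", "country": "US", "result": "success"},
]
AUDIT = [
    {"ts": "2026-01-10T08:10:00Z", "account": "alice@example.com", "session": "s-1", "action": "ListBuckets"},
    {"ts": "2026-01-11T03:52:00Z", "account": "alice@example.com", "session": "s-3", "action": "AssignRole", "role": "GlobalAdmin"},
    {"ts": "2026-01-11T04:05:00Z", "account": "svc-backup", "session": "s-4", "action": "CreateAccessKey", "target": "svc-backup"},
    {"ts": "2026-01-11T05:00:00Z", "account": "bob@example.com", "session": "s-9", "action": "AddMemberToGroup", "target": "CloudAdmins"},
    {"ts": "2026-01-11T06:10:00Z", "account": "carol@example.com", "session": "s-5", "action": "AssignRole", "role": "BillingAdmin"},
]

# Constructed action names standing in for "privileged change" events in a real audit log.
PRIVILEGED_ACTIONS = {"AssignRole", "CreateAccessKey", "AddMemberToGroup", "AddAppCredential"}

# Known service accounts and the (ASN, country) sources they are expected to use (constructed).
SERVICE_SOURCES = {"svc-backup": {("AS64501", "US")}}


def parse_ts(value):
    """Parse the ISO-8601 UTC timestamp format used in the sample records."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def source_of(signin):
    return (signin["source_asn"], signin["country"])


def baseline_sources(signins, account, before):
    """Sources this account used in successful sign-ins strictly before `before`.
    Only history is used, so the sign-in under review never vouches for itself."""
    return {source_of(e) for e in signins
            if e["account"] == account and e["result"] == "success" and parse_ts(e["ts"]) < before}


def correlate(signins, audit, privileged=PRIVILEGED_ACTIONS, service_sources=SERVICE_SOURCES):
    """Return one finding per privileged audit event that cannot be explained by
    the account's own history or by a documented service-account source."""
    by_session = {(e["account"], e["session"]): e for e in signins if e["result"] == "success"}
    findings = []
    for ev in audit:
        if ev["action"] not in privileged:
            continue
        base_finding = {"account": ev["account"], "session": ev["session"],
                        "action": ev["action"], "ts": ev["ts"]}
        signin = by_session.get((ev["account"], ev["session"]))
        if signin is None:
            # Join gap: a privileged action with no sign-in to tie it to is itself a finding,
            # whether the cause is missing telemetry or a session the IdP never saw.
            findings.append({**base_finding, "reason": "no_matching_signin"})
            continue
        src = source_of(signin)
        expected = service_sources.get(ev["account"])
        if expected is not None:
            # Service accounts are judged against their documented sources, not a learned baseline.
            if src not in expected:
                findings.append({**base_finding, "reason": "service_account_unexpected_source", "source": src})
            continue
        base = baseline_sources(signins, ev["account"], parse_ts(signin["ts"]))
        if not base:
            reason = "no_baseline"      # new or dormant account: low confidence, still worth review
        elif src not in base:
            reason = "new_source"       # privileged change from a source this account never used
        else:
            continue
        findings.append({**base_finding, "reason": reason, "source": src})
    return findings


if __name__ == "__main__":
    for f in correlate(SIGNINS, AUDIT):
        print(f)
```

On the sample data this yields three findings: alice's role assignment from a never-before-seen ASN and country, bob's group change with no sign-in to join to, and carol's role assignment from an account with no history. The service-account key creation is suppressed because its source matches the allowlist, which is the kind of environment-specific policy context the last bullet refers to.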
Mitigation priorities
- Inventory cloud, SaaS, office suite, identity provider, service, remote support, privileged, and hybrid-synced accounts.
- Ensure high-value cloud accounts have appropriate authentication, authorization, lifecycle, and review controls.
- Centralize and retain identity and cloud audit telemetry needed for SOC monitoring and incident response evidence.
- Regularly review privileged role assignments, dormant accounts, service accounts, and cloud-only accounts.
- Test incident response procedures for suspected cloud account compromise, including containment, credential/session revocation, and evidence preservation.
Analyst notes and limits
The decision value of DET0546 is coverage validation: can the organization detect suspicious use of legitimate cloud identities across the services where business operations live? This is especially relevant to managed detection, cloud security, IAM, IR readiness, and compliance evidence because the related technique uses valid accounts and may blend with normal administration.
The supplied ATT&CK object has no official description, detection text, platforms, or tactics of its own. Platform and tactic context comes from the stated relationship to T1078.004 Cloud Accounts. No active exploitation, attribution, impact, or guaranteed detection coverage is implied.
Detection of Abused or Compromised Cloud Accounts for Access and Persistence
No official description is available in the imported ATT&CK source object.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1078.004 | Cloud Accounts (sub-technique) | This object detects Cloud Accounts. |
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see ATT&CK resources (Updates).
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 1.0 | | Current bundle | e201c6d9f9ff… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
[1] mitre-attack: DET0546 (source URL)
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.